The S3 bucket has server-side encryption with KMS (SSE-KMS) enabled.

[Figure: AWS Transfer Family access to KMS-encrypted S3 bucket]

When rclone is used against the S3 bucket mounted on AWS Transfer Family, downloading or uploading files fails with permission denied.

[Figure: AWS Transfer Family access to KMS-encrypted S3 bucket (2)]

Transfer Family reads and writes the objects with its IAM role, so for an SSE-KMS bucket that role also needs permission on the KMS key; S3 alone is not enough. (The KMS key policy must also allow the role to use the key: the default key policy does this by delegating to IAM for the account, but a customised key policy has to grant it explicitly.)

Update the Transfer Family role with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:region:aws-account:key/ID"
        }
    ]
}

Note that once the role policy has been updated you also have to refresh the policy on the Transfer Family user, because the old version stays cached by default: open the corresponding user and re-add the policy.

[Figure: AWS Transfer Family access to KMS-encrypted S3 bucket (3)]
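The procedure above, as an added Python example that is not code from the original post: build_policy emits the same policy document shown above for a given bucket and key ARN, and missing_permissions lints any existing role policy for the S3 and KMS actions Transfer Family needs, which is the quickest way to pin down the rclone permission denied before touching the console. The function names, the sample bucket and key ARN, and the "before" policy (the page's role policy without its KMS statement) are my own constructions; put_role_policy is the only part that talks to AWS and assumes boto3 and credentials are available.

```python
"""Build and lint the IAM role policy AWS Transfer Family needs for an SSE-KMS bucket.

Added example; function names and sample identifiers are assumptions, not the post's code.
"""
import fnmatch
import json

# Actions from the role policy shown on the page, grouped by the resource they apply to.
S3_BUCKET_ACTIONS = ("s3:ListBucket", "s3:GetBucketLocation")
S3_OBJECT_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion")
KMS_ACTIONS = ("kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey")


def build_policy(bucket, kms_key_arn):
    """Return the role policy document from the page for the given bucket and KMS key ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BucketAccess", "Effect": "Allow",
             "Action": list(S3_BUCKET_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ObjectAccess", "Effect": "Allow",
             "Action": list(S3_OBJECT_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "KmsAccess", "Effect": "Allow",
             "Action": list(KMS_ACTIONS), "Resource": kms_key_arn},
        ],
    }


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _allows(policy, action, resource):
    """True if some Allow statement covers action on resource (IAM '*'/'?' wildcards honoured)."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def missing_permissions(policy, bucket, kms_key_arn):
    """List the (action, resource) pairs Transfer Family needs that the policy does not grant.

    Object actions are checked against a representative object ARN so that the usual
    'bucket/*' resource pattern is exercised the way IAM would evaluate it.
    """
    sample_object = f"arn:aws:s3:::{bucket}/home/user/file.txt"
    required = (
        [(a, f"arn:aws:s3:::{bucket}") for a in S3_BUCKET_ACTIONS]
        + [(a, sample_object) for a in S3_OBJECT_ACTIONS]
        + [(a, kms_key_arn) for a in KMS_ACTIONS]
    )
    return [(a, r) for a, r in required if not _allows(policy, a, r)]


def put_role_policy(role_name, policy, policy_name="TransferFamilySseKmsAccess"):
    """Attach the policy inline to the Transfer Family role (assumes boto3 and AWS credentials)."""
    import boto3  # imported lazily so the linter above runs without the SDK installed

    iam = boto3.client("iam")
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(policy))


# Constructed sample: the state that produced "permission denied" on the page, i.e. the
# role policy with S3 access only and no KMS statement.
SAMPLE_BUCKET = "bucket-name"
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
POLICY_BEFORE = {"Version": "2012-10-17",
                 "Statement": build_policy(SAMPLE_BUCKET, SAMPLE_KEY_ARN)["Statement"][:2]}

if __name__ == "__main__":
    for name, policy in (("before", POLICY_BEFORE), ("after", build_policy(SAMPLE_BUCKET, SAMPLE_KEY_ARN))):
        gaps = missing_permissions(policy, SAMPLE_BUCKET, SAMPLE_KEY_ARN)
        print(name, "missing:", gaps or "nothing")
```

Run missing_permissions against the policy you actually have on the role before editing anything: for the "before" policy it reports exactly the three KMS actions, which matches the symptom on the page. After attaching the corrected document with put_role_policy, remember that the user-level policy cache described above still has to be refreshed on the Transfer Family user.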